SUID question


by Richard Troy


Hello All,

As it's my first post here, I want to say I'm glad this list exists as I'm
pretty sure there are folks who can point me in the right directions, as
needed...

I've been using unix since the 1970s, so I'm pretty familiar with it, and
I've been using Linux - and Red-Hat / Fedora since their early days, too,
so in general terms, I'm no novice. However, I've been ignoring SELINUX.
When I first tried it, it was a huge disaster and I haven't given it
another look, but the time has finally come, primarily because I simply
_must_ resolve a problem I strongly suspect is caused by SELINUX, and
secondarily because I've got a system that runs on just about everything
_but_ selinux and provides compute server (think "grid computing") and
sophisticated archival services, and it's to the point where it's time
that it work on SELINUX systems, too.

So, the more immediate problem: On a Fedora host, a "C" based program that
launches all the server functionality (including archiving) has its suid
bit set (and gid, too) so it runs as the server installation's owner. It's
actually pretty smart by validating its environment hasn't been hacked,
etc, and then gets to business. This code has somehow broken during a
couple of upgrades of Fedora - I didn't notice it at first because as the
developer, I always run it as the development installation's owner and as
a fluke apparently others haven't experienced this problem or haven't
reported it. Recently, however, someone else went to play with it and it
refused.  Some simple checks indicated that the SUID bit wasn't being
honored. The system has SELINUX installed but disabled - the kernel is
2.6.21-1.3194.fc7. It's trivially easy to prove the suid bit is ignored
but _why?_

...There's no known (to me!) reason this should fail! Any pointers GREATLY
appreciated.

The less immediate issue is really a quest for pointers to the most
appropriate source packages so I can see how other programs solve similar
SELINUX related issues. Ideally, this code can both archive and restore
any file on the system. In addition, it currently - ignoring SELINUX for a
moment - tracks all meta-data changes - ownership and permissions, the
various dates associated with a file, etc, in addition to file data, so it
has the handy trait of both providing an audit trail and an ability to
restore data or meta-data as needed. As such it needs to be able to
discover what the security context details are so it can record them, in
addition to the obvious need to update SELINUX security details on a per
file basis.... I don't even know how to do that from the command line,
much less write a program to do it! ...However, I'm sure somewhere these
things have been already addressed, such as with tar, etc.

Please point me to what you think are appropriate models / code that can
be examined, etc. And, if there's a well written tutorial intended for
people who are already "up to speed" on everything but SELINUX, it would
be greatly appreciated.

Thank you,
Richard

--
Richard Troy, Chief Scientist
Science Tools Corporation
510-717-6942
rtroy@..., http://ScienceTools.com/

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: SUID question

by Eric Paris-2

On Tue, 2008-10-07 at 12:21 -0700, Richard Troy wrote:

> So, the more immediate problem: On a Fedora host, a "C" based program that
> launches all the server functionality (including archiving) has its suid
> bit set (and gid, too) so it runs as the server installation's owner. It's
> actually pretty smart by validating its environment hasn't been hacked,
> etc, and then gets to business. This code has somehow broken during a
> couple of upgrades of Fedora - I didn't notice it at first because as the
> developer, I always run it as the development installation's owner and as
> a fluke apparently others haven't experienced this problem or haven't
> reported it. Recently, however, someone else went to play with it and it
> refused.  Some simple checks indicated that the SUID bit wasn't being
> honored. The system has SELINUX installed but disabled - the kernel is
> 2.6.21-1.3194.fc7. It's trivially easy to prove the suid bit is ignored
> but _why?_

fs mounted with nosuid?  this is not an selinux'ism....

> The less immediate issue is really a quest for pointers to the most
> appropriate source packages so I can see how other programs solve similar
> SELINUX related issues. Ideally, this code can both archive and restore
> any file on the system. In addition, it currently - ignoring SELINUX for a
> moment - tracks all meta-data changes - ownership and permissions, the
> various dates associated with a file, etc, in addition to file data, so it
> has the handy trait of both providing an audit trail and an ability to
> restore data or meta-data as needed. As such it needs to be able to
> discover what the security context details are so it can record them, in
> addition to the obvious need to update SELINUX security details on a per
> file basis.... I don't even know how to do that from the command line,
> much less write a program to do it! ...However, I'm sure somewhere these
> things have been already addressed, such as with tar, etc.

rsync I think was the first package to do this.  tar now has selinux
label capabilities.  you can either get at it through the libselinux
interfaces or directly use get/setxattr looking at the security.selinux
namespace.  Assuming your program runs unconfined (as most things do by
default if you don't write policy for them) selinux shouldn't be getting
in your way of this type of operation.....

I don't think libselinux has much in the way of docs other than grabbing
the code and looking at what interfaces it provides...


Re: SUID question

by Daniel J Walsh

Eric Paris wrote:

> On Tue, 2008-10-07 at 12:21 -0700, Richard Troy wrote:
>
>> So, the more immediate problem: On a Fedora host, a "C" based program that
>> launches all the server functionality (including archiving) has its suid
>> bit set (and gid, too) so it runs as the server installation's owner. It's
>> actually pretty smart by validating its environment hasn't been hacked,
>> etc, and then gets to business. This code has somehow broken during a
>> couple of upgrades of Fedora - I didn't notice it at first because as the
>> developer, I always run it as the development installation's owner and as
>> a fluke apparently others haven't experienced this problem or haven't
>> reported it. Recently, however, someone else went to play with it and it
>> refused.  Some simple checks indicated that the SUID bit wasn't being
>> honored. The system has SELINUX installed but disabled - the kernel is
>> 2.6.21-1.3194.fc7. It's trivially easy to prove the suid bit is ignored
>> but _why?_
>
> fs mounted with nosuid?  this is not an selinux'ism....
>
>> The less immediate issue is really a quest for pointers to the most
>> appropriate source packages so I can see how other programs solve similar
>> SELINUX related issues. Ideally, this code can both archive and restore
>> any file on the system. In addition, it currently - ignoring SELINUX for a
>> moment - tracks all meta-data changes - ownership and permissions, the
>> various dates associated with a file, etc, in addition to file data, so it
>> has the handy trait of both providing an audit trail and an ability to
>> restore data or meta-data as needed. As such it needs to be able to
>> discover what the security context details are so it can record them, in
>> addition to the obvious need to update SELINUX security details on a per
>> file basis.... I don't even know how to do that from the command line,
>> much less write a program to do it! ...However, I'm sure somewhere these
>> things have been already addressed, such as with tar, etc.
>
> rsync I think was the first package to do this.  tar now has selinux
> label capabilities.  you can either get at it through the libselinux
> interfaces or directly use get/setxattr looking at the security.selinux
> namespace.  Assuming your program runs unconfined (as most things do by
> default if you don't write policy for them) selinux shouldn't be getting
> in your way of this type of operation.....
>
> I don't think libselinux has much in the way of docs other than grabbing
> the code and looking at what interfaces it provides...

You probably want to look at the following SELinux functions.


man getfilecon
man setfilecon
man setfscreatecon

# ls -lZ FILE

Will list the file context

# chcon CONTEXT FILE

Will change the context.

# restorecon FILE

Will ask the system what it should be labeled and make it so.
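
Recording and restoring a file's label from C, as an added example that is not code from the thread. It takes the `security.selinux` xattr route mentioned earlier in the thread instead of the libselinux `getfilecon`/`setfilecon` calls listed above, so it builds without the library; function names are hypothetical and the default path is only a sample.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>

#define SELINUX_XATTR "security.selinux"
enum label_status { LABEL_PRESENT, LABEL_NONE, LABEL_ERROR };

/* The stored value may or may not end in NUL. n is the byte count the
 * kernel returned; buf must have room for n + 1 bytes. Returns text length. */
size_t normalize_label(char *buf, size_t n)
{
    while (n > 0 && buf[n - 1] == '\0')
        n--;
    buf[n] = '\0';
    return n;
}

/* Read the label of path itself (symlinks are not followed, as an archiver wants). */
enum label_status read_label(const char *path, char *buf, size_t len)
{
    ssize_t n;
    if (len < 2)
        return LABEL_ERROR;
    n = lgetxattr(path, SELINUX_XATTR, buf, len - 1);
    if (n >= 0) {
        normalize_label(buf, (size_t)n);
        return LABEL_PRESENT;
    }
    buf[0] = '\0';
    /* No label stored, or no xattr support here: record the file as unlabeled. */
    return (errno == ENODATA || errno == ENOTSUP) ? LABEL_NONE : LABEL_ERROR;
}

/* Write a previously recorded label back, including its trailing NUL. */
int restore_label(const char *path, const char *label)
{
    return lsetxattr(path, SELINUX_XATTR, label, strlen(label) + 1, 0);
}

int main(int argc, char **argv)
{
    char label[256];
    const char *path = argc > 1 ? argv[1] : "/etc/passwd";
    enum label_status s = read_label(path, label, sizeof label);

    if (s == LABEL_ERROR) { perror(path); return 1; }
    printf("%s\t%s\n", path, s == LABEL_PRESENT ? label : "(unlabeled)");
    return 0;
}
```

Reading a label works for any user who can reach the file; writing one back needs the privilege to relabel it, so `restore_label` can fail with `EPERM` or `EACCES` for an unprivileged caller.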

